Friday, June 23, 2017

The Darknet's Brickr Ransomware

Wapack Labs analysts observed an actor on the darknet advertising Brickr v1 Ransomware. Brickr v1's stated purpose is “to be affordable, cheap and reliable product.” Buyers must contact the actor through Jabber or through the darknet forum's private messenger. If executed, Brickr v1 encrypts a user's personal files; a ransom must be paid to receive the decryption key. As of 28 May 2017, Brickr v1 was for sale for $80.00, payable in Bitcoin (BTC). After an article was published describing how to remove Brickr Ransomware using Task Manager, the actor added a feature that temporarily disables Task Manager when the malware runs. The actor revealed that Brickr v2 is under development and will include upgraded features. Wapack Labs will continue to monitor the forum, track all versions of this malware, and attempt to identify the actor.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, June 19, 2017

U.S. Corporate Concerns with China’s New Cybersecurity Law

On 1 June 2017, the Chinese government put an extensive new Cybersecurity Law into effect. This law applies to all network operations in China, by Chinese citizens and foreign business operations alike. Many U.S. corporations operating in China have expressed concerns about how this law will affect their ability to operate under more intrusive Chinese government control. The provisions with the potential for the greatest negative impact on foreign firms include:
  • Definition of network operators. The scope of the Cybersecurity Law provides control over not just telecom operators and internet firms but also banking institutions, insurance companies, securities companies, providers of cybersecurity products and services, and essentially any enterprise with a website in China or that provides network services. The American Chamber of Commerce in China has said the Law “will impact almost every company that operates in China.”
  • Requirements for “critical information infrastructure” operators. The Law defines these to include “public communications and information services, energy, finance, transportation, water conservation, public services, e-governance,” and other enterprises that could harm national security or the economy if damaged. Foreign corporations included in this category now face restrictions on equipment and services they can use, and they are vulnerable to inspection and intrusion by the Chinese government.
  • Restrictions on sending data outside China. The Law states that “personal information and other important data from operations within the PRC shall be stored within mainland China.” Business information and data on Chinese citizens cannot be transferred abroad without permission, and that would be contingent on intrusive “security assessments” by the Chinese government. Some U.S. analysis suggests that this could also prohibit the export of economic, technological, or scientific data considered to “pose a threat to national security or the public interest.”
The situation for foreign firms is uncertain at present because details on the scope of the Law and how it will be enforced are still unavailable. The initial impression among U.S. businesses is that the potential for intrusion and interruption is certainly considerable.

Wapack Labs has cataloged and reported extensively on China's cybersecurity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 16, 2017

OpIcarus2017, a Limited Risk

In June 2017, Wapack Labs analysts observed a faction of the Anonymous collective attempting to launch OpSacred, the fifth phase of OpIcarus2017, a multiphase operation aimed at central banks and other financial institutions (e.g., the International Monetary Fund and the World Bank). The campaign attracted hundreds of participants, yet failed to attract AnonOps support, create a dedicated IRC channel, attract experienced organizers, or follow up after its initial start day, producing limited effects. While the operation has been badly organized, it may become a training ground for future hacker collaborations, especially since the Anonymous collective has been observed using GitHub to collect and share tools...READ MORE

Wapack Labs has cataloged and reported extensively on Anonymous' operations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 9, 2017

IBNS Malicious Infrastructure Targets Financial Institutions

In the last days of May, Wapack Labs identified a large email delivery infrastructure targeting multiple industries, including finance and transportation. Wapack Labs dubbed this network “IBNS”. The infrastructure consists of a single name server and over 17k typo-squatted domains. The size of this recently discovered IBNS network is unprecedented. Wapack Labs believes that IBNS is a malicious provider that uses web automation and reseller services to facilitate its criminal activities. The actors sell through channels, using resellers instead of selling direct, creating a level of separation between themselves and the users. Tactics, Techniques and Procedures (TTPs) associated with the activity suggest attribution to a known Nigerian fraud group.


I hear every day about the stupid users clicking through, and the CISO that talks about the problem being in the human. Honestly? I get kinda mad when I hear it. Why? These guys are using automated psychology to overwhelm, confuse and take advantage of unsuspecting users.

It means to me that the CISO who said it has never seen well-crafted emails meant to slip past the goalie. Or perhaps they don't understand the idea that users only have so much will power, or that my own out-of-band email account (an AOL account that I've had for probably 20 years) receives far more spam than it does legitimate email.

Bad guys are smart. They know that users have only a limited amount of will power, and after seeing hundreds of spam messages per day, the chance that some of them will be opened, out of sheer exhaustion and confusion, is 100%.

Overwhelm, confuse, create fatigue, repeat, add additional sources of confusion, repeat again.

ONE typosquat dump that we identified had over 17,000 domains that look a heck of a lot like credit card and payment company domains. CapitalOne? Capital1? CapitalONE? Capital-one? My typosquats are terrible, but you get the idea. Imagine dozens of variations created programmatically and then used to overwhelm.

Folks, it's not about stupid users. It's about information security folks not understanding the strategy of fatigue and confusion, and then how to protect those (your) lambs as they're being led (by Nigerian scammers, Lazarus actors, or APT) to slaughter. It's like the door-to-door salesman who keeps throwing features, prices, and deals at you until you sign just to get the guy out of your house. There's psychology involved.

…and you only need one to slip past the goalie to be infected, and many times, you'll have absolutely no idea that you've been p0wned.

Wapack Labs has been running this thing that we call the Cyber Threat Analysis Center. We scour primary sources to identify intended victims before they become victims. The graphic above is a sample of a report that we provide on a weekly basis to one of our folks. We give them normalized blacklists in periodic chunks that they can drop into their defenses, whether their intrusion prevention systems, SIEM, or whatever they have. They can wait for us to give it to them, or they can pull it programmatically via API on whatever frequency they desire.
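As an added example (not Wapack Labs code, and not drawn from the IBNS data), here is one way a defender can check sender domains from a mail log against the kind of lookalike tricks described above (Capital1, Capital-one, digit-for-letter swaps) before a blacklist arrives. The protected brand list, the confusable mapping and the sample senders are all constructed for illustration.

```python
"""Flag sender domains that imitate a protected brand's domain."""

# Constructed brand list; a real deployment would load its own.
PROTECTED = {"capitalone.com", "paypal.com", "chase.com"}

# Constructed mapping of characters that read like letters at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Digits that are commonly spelled out in the real brand name.
DIGIT_WORDS = {"1": "one", "2": "two", "4": "for"}


def registrable(domain: str) -> str:
    """Naive eTLD+1: last two labels only (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def forms(label: str):
    """Yield normalised spellings of a label for comparison."""
    base = label.replace("-", "")          # capital-one -> capitalone
    yield base
    yield base.translate(CONFUSABLES)      # capita1one -> capitalone
    word = base
    for digit, spelled in DIGIT_WORDS.items():
        word = word.replace(digit, spelled)  # capital1 -> capitalone
    yield word


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # capitla -> capital
    return d[len(a)][len(b)]


def lookalike(domain: str, protected=PROTECTED, max_dist: int = 1):
    """Return the protected brand that `domain` imitates, or None."""
    dom = registrable(domain)
    if dom in protected:
        return None                         # the genuine domain
    name = dom.split(".")[0]
    for brand in protected:
        brand_name = brand.split(".")[0]
        if any(osa_distance(f, brand_name) <= max_dist for f in forms(name)):
            return brand                    # also catches brand.co, brand.net
    return None


# Constructed sample of sender addresses, as a mail gateway might log them.
SAMPLE_SENDERS = ["alerts@capitalone.com", "security@capital1.com",
                  "service@capita1one.net", "billing@paypa1.com",
                  "news@example.org"]


def scan(senders):
    """Map each suspicious sender to the brand it imitates."""
    hits = {}
    for addr in senders:
        brand = lookalike(addr.rsplit("@", 1)[-1])
        if brand:
            hits[addr] = brand
    return hits
```

With `max_dist` of 1 and a naive eTLD+1, short brand names will produce false positives (a one-letter brand neighbour is flagged), so tune the threshold per brand and review hits before feeding them into a blocklist.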

Want to know more? Drop us a note through the website, or at

OK folks... it's our first nice day in a while up here in NH and that lawn (hay field?) isn't going to mow itself.

Oh, before I forget, if you're local, I hope to see some of you at our Granite State Security cookout Monday afternoon… nothing heavy, just burgers and beer but it's supposed to be nice. Let's have some fun! Here's the link to the meet up… I've invited the local Open Source community and security folks.

Have a great weekend!

Wednesday, June 7, 2017

Russia is Considering Ethereum's Blockchain Technology

Russian president Vladimir Putin recently met with Ethereum cryptocurrency founder Vitalik Buterin. Russia has in the past effectively banned Bitcoin use by its companies and is now likely switching to a "use and control" stance toward emerging blockchain technologies. Bitcoin is the original blockchain-based cryptocurrency and has become very popular in black markets, including online drug sales and cybercrime. Ether, the token for Ethereum, is one of the alternatives growing fast in general popularity. Besides the currency function, Ethereum provides much more: it is an open-source, public, blockchain-based distributed computing platform that features smart contract (scripting) functionality, which facilitates online contractual agreements. This makes Ethereum technologies of interest to major financial institutions and IT companies. Blockchain technologies are not bad per se, and many Western financial institutions are attracted to their use, but Russia's history of protecting black-hat hackers and controlling some online black markets makes this development worrisome...READ MORE

Wapack Labs has cataloged and reported extensively on Russia, blockchains, and cryptocurrency in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


NK Lazarus Threat to the Financial Sector Remains High

Newly discovered Command & Control (C2) Internet Protocol (IP) addresses confirm the geolocation of the North Korean threat actors known as Lazarus Group, despite their deliberate attempts at misdirection. They are known for custom-tailoring and reusing code between malware families and campaigns. Since 2009, Lazarus Group has targeted Asian, European, and South American financial institutions, as well as media companies such as Sony Pictures. Recent financial and trading sanctions levied on North Korea will increase the likelihood of attacks on the financial sector, similar to the documented attacks that leveraged the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to compromise central banks...READ MORE

Wapack Labs has cataloged and reported extensively on financial compromise and the Lazarus Group in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, June 6, 2017

Darknet Marketplace Exposes Financial Items on Global Scale

Wapack Labs analysts are researching a Tor-based darknet marketplace that sells stolen financial items (credit cards and gift cards) and occasionally provides free dumps that expose the Personally Identifiable Information (PII) of individuals. New accounts are available every week, and the marketplace's administrators claim they are 100% verified; how-to manuals are provided with transactions. The marketplace operates on a global basis, with stolen products from the US, EU, Oceania, and Russia. Further research is being conducted to identify the source of the stolen credit cards...READ MORE

Wapack Labs has cataloged and reported extensively on darknet marketplaces in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Tuesday, May 30, 2017

Targeting Online Video Gaming Virtual Currency

Wapack Labs is researching a cybercriminal group that is targeting online gamers and the video gaming industry. The group commonly uses digital certificates stolen from online game developers to sign its malware, thereby decreasing the risk of Anti-Virus (AV) detection. Americans alone spend an estimated $25 billion a year on online video games. Many online games are MMORPGs (Massively Multiplayer Online Role-Playing Games), which run on virtual currency that is bought and sold with real money. Additionally, the group aims to steal source code from games under development in order to aid in virtual currency mining. We assess with high confidence that the cybercriminal group will continue to evolve and take advantage of the growing online gaming industry...READ MORE

Wapack Labs has cataloged and reported extensively on targeting the gaming industry in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Cyber Espionage Targets Managed Service Providers (MSPs)

Wapack Labs Analysts assess with high confidence a growing cyber espionage campaign, with a Chinese nexus, that has been targeting Managed Service Providers (MSPs) in order to compromise multiple organizations. This campaign is responsible for intrusions in the United States, Europe, and Japan. Typical targets include construction, engineering, aerospace, telecom, and government institutions. The actors involved leverage a wide variety of tools and custom malware, allowing flexibility when it comes to the methods used for intrusion...READ MORE

Wapack Labs has cataloged and reported extensively on espionage campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, May 25, 2017

The LinkedIn, Dropbox, and Formspring Hacker: Yevgeniy Nikulin

Yevgeniy Nikulin is a potent Russian hacker responsible for major breaches including LinkedIn, Dropbox and Formspring, as well as less well-known thefts of funds from a Bitcoin hedge fund and from individuals. After his arrest in Prague, Russia filed its own extradition request to compete with the one from the US. There are unconfirmed allegations that Nikulin may have some insight into the hacking related to the 2016 Presidential Elections. Nikulin is a highly skilled, dangerous hacker. While the true nature of his connections to the Russian government is unproven, it is possible that they prompted the legal help he is getting...READ MORE

Wapack Labs has cataloged and reported extensively on hackers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tor-based Site Operates Illegal Sales Under AES 256-bit Encryption

Wapack Labs discovered a Tor-based website conducting illegal financial sector activities, ranging from carding and counterfeit money to electronics and narcotics. The site, which requires no registration, claims that the forum is totally anonymous and highly secure, largely because all data is encrypted with AES 256-bit encryption. The site provides a multi-signature escrow for all transactions, allowing safe Bitcoin (BTC) transactions between both parties...READ MORE

Wapack Labs has cataloged and reported extensively on Tor-based and carding activities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Free Online Payment System Credentials: Contact Señor

Wapack Labs analysts exposed a threat actor targeting the financial sector who is actively posting in several clear web and underground forums. Within these forums, the actor creates threads of free, downloadable log-in credentials for an online payment system. Analysts assess that the actor is likely brute-forcing the accounts to obtain the passwords. A brute force attack is a trial-and-error method in which a program systematically guesses passwords until one works; it is highly effective if the account uses a simple password. The language, emails, and passwords indicate that the actor is a Spanish or Portuguese speaker, likely operating in South America...READ MORE

Wapack Labs has cataloged and reported extensively on Spanish-speaking threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Wednesday, May 24, 2017

#Wannacry & the Virut Botnet

A new variant of Wannacry appears to be making a bad situation worse. Wapack Labs has recently identified a new malware specimen that is 75% similar to Wannacry. Instead of relying on a “kill-switch” domain, the program uses a combination of several static domains as well as a domain generation algorithm (DGA) in order to bypass network-based mitigations. Furthermore, the domains appear to be related to Virut (medium confidence), a cybercrime botnet in operation since 2006. A more detailed analysis of this development is pending.


Wapack Labs has cataloged and reported on Wannacry ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Saturday, May 13, 2017

#WannaCry Update

…For Red Sky Alliance members:

A new #WannaCry report, including malware analysis and a discussion of the backdoor, is now available for members in the Red Sky Alliance portal. In addition, a demonstration of one of the backdoor techniques used yesterday and today is discussed in an April 22nd Red Sky Alliance post by Wapack's JB, entitled "ShadowBrokers EQGRP's FuzzBunch Windows 0day framework - Install, Use, Mitigations." It's a good read.

Friday, May 12, 2017

Equation Group's Exploit is Operating Globally: #WannaCry Ransomware

Wapack Labs is tracking a reported ransomware attack on various countries affecting operations in the health and financial sectors. The malware has been titled: WCry, WannaCry or WanaCrypt0r ransomware. Open source reporting indicates that Russia, Ukraine, Taiwan, Spain, and the United Kingdom are being targeted. CCN-CERT (SP) has confirmed the malware propagates through the leaked Equation Group ETERNALBLUE SMB exploit. Microsoft Security Bulletin MS17-010 details mitigations for this exploit.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.